dns resilient

Upload: mohamad-shidiq

Post on 25-Feb-2018

226 views

Category:

Documents


0 download

TRANSCRIPT

  • 7/25/2019 DNS Resilient

    1/263

    Introduction to

    Resilient TLD Operations

    John Crain

    Chris Evans

  • 7/25/2019 DNS Resilient

    2/263

    Welcome

    Thank you! APTLD Leonid Todorov

    ICANN Steve Conte & John Crain

    2

  • 7/25/2019 DNS Resilient

    3/263

    Introductions

    Name? Organization?

    Duties?

    3

  • 7/25/2019 DNS Resilient

    4/263

    Agenda

    DNS Fundamentals DNS TLD Registries

    Performance Monitoring

    DNS Threats

    Incident Management & Response

    Resilient Enterprises

    4

  • 7/25/2019 DNS Resilient

    5/263

    Administrivia

    During the course: Ask questions when you have them no need to wait Your experiences are valuable please share them

    Schedule can be flexiblejust ask!

    Course Web Page http://files.delta-risk.net/projects/ICANN-Jakarta/

    5

  • 7/25/2019 DNS Resilient

    6/263

    Questions before we begin?

    6

  • 7/25/2019 DNS Resilient

    7/263

    DNS FUNDAMENTALS

    7

  • 7/25/2019 DNS Resilient

    8/263

    What is the DNS?

    The DNS is a distributed and hierarchical system of servers

    which translates human readable names (identifiers) toaddresses

    This allows people to remember simple names (e.g.

    www.first.org instead of the actual server address,

    213.129.76.19)

    This is even more of a necessity with the advent of IPv6

    Instead of 12 numbers for an address, there are 32 characters!

    8

    The Domain Name System (DNS) helps users to find their way aroundthe Internet

    -- ICANN

    128.63.2.53 2001:500:1::803F:235H.ROOT-SERVERS.NET

    IPv4 IPv6

  • 7/25/2019 DNS Resilient

    9/263

    What is the DNS?

    Every computer accessible on the Internet has aunique address, something like a telephone number,called an IP address

    A unique name is given to each accessible computer,which maps to the IP address

    The DNS provides resolution of these names to IPaddresses in a very transparent manner

    9

    The DNS is Often Compared to a Telephone

    Book-- ICANN

  • 7/25/2019 DNS Resilient

    10/263

    What is the DNS?

    Key Elements of the DNS Resolution

    This is what the DNS does translates names to addresses

    Distributed

    There are literally millions of DNS servers all over the world. Thisadds resiliency to the system if one goes down there is usually

    another that can function in its place.

    Hierarchical

    Responsibility for a DNS server for any given domain is delegated

    to the respective owner of that domain, who, in turn, may

    outsource those functions to a provider.

    Consistent

    Ideally, the same answer is provided regardless of the DNS server

    being queried.10

    icann.org

    st.icann.org www.icann.org

  • 7/25/2019 DNS Resilient

    11/263

    A Brief History

    March 1982 - Ken Harrenstien (et all) releases RFC 811governing use of a hostname server with a centrallymanaged file which contains names and addresses.

    The ARPANetgrows People want local control

    November 1983 Paul Mokapetris releases RFC 882and RFC 883 governing the concepts and operation ofthe DNS.

    November 1987 Paul Mokapetris releases RFC 1033

    and RFC 1034 which refine the DNS.The core pieces havent changed since (23 years)

    11

  • 7/25/2019 DNS Resilient

    12/263

    DNS Operation

    At a core level, the DNS is comprised ofQueries and Answers.

    A user sends a query through a resolver to a

    server. The server responds with an answerto the query.

    12

    User DNS Server

    Query: What is www.icann.org?

    Answer: 192.0.32.7

  • 7/25/2019 DNS Resilient

    13/263

    DNS Operation

    A DNS packet is structured as such A packet can be up to 65535 bytes in length

    It can have multiple queries and answers.

    In theory most DNS servers will respond to only the first

    query and ignore the rest.

    13http://unixwiz.net/images/dns-query-packet.gif

    Thats a lot of room for malicious

    purposes

  • 7/25/2019 DNS Resilient

    14/263

    DNS Operation

    14

    User

    ISP

    Root

    .org

    icann

    .org

    pir

    .org

    first

    .org

  • 7/25/2019 DNS Resilient

    15/263

    DNS Operation

    15

    A Tree view of the DNS

    . (Root)

    .COM

    User

    ISP

    example.

    com

    www.example.com

    .ORG

    icann

    .org

    ftp.icann.org

  • 7/25/2019 DNS Resilient

    16/263

    DNS From Top To Bottom

    The Root Servers

    A collection of 13 serversaround the world, A M.

    Actually, there are 202servers, all mirrors of the

    same root zone data All are independently run by

    root operators

    16

    www.root-servers.org

    Highly redundant, resilient,

    with diverse implementations Provide pointers to the

    authoritative name servers

  • 7/25/2019 DNS Resilient

    17/263

    DNS From Top To Bottom

    Example of what the rootservers provide:

    BF. NS CASTOR.TELEGLOBE.NET.

    BF. NS NAHOURI.ONATEL.BF.

    BF. NS NS1.IRD.FR.

    BG. NS SUNIC.SUNET.SE.

    BG. NS NS-EXT.VIX.COM.BG. NS NS.REGISTER.BG.

    BG. NS NS-BG.RIPE.NET

    NAHOURI.ONATEL.BF. A 206.82.130.196

    AUTH01.CONNECT.IE. A 213.228.227.50

    OSI2.GUA.NET. A 205.161.188.3

    NS.PA. A 168.77.8.2PARAU.OYSTER.NET.CK. A 202.65.32.128

    PASCAL.NIC.PR. A 134.202.0.120

    NS2.CUHK.EDU.HK. A 137.189.6.21

    NS2.CUHK.EDU.HK. AAAA 2405:3000:3:60:0:0:0:21

    17

    These are the pointers to theauthoritative name servers

    for a domain

  • 7/25/2019 DNS Resilient

    18/263

    DNS From Top To Bottom

    Authoritative Servers Provides definitive

    answers to queries for

    resources in their

    domains

    ns.icann.org is an

    authoritative server for

    any queries to*.icann.org

    18

    These are usually delegated to the owner of the

    domain, but sometimes outsourced. These can be run by individuals, businesses,

    organizations, governments, really, anyone!

  • 7/25/2019 DNS Resilient

    19/263

    DNS From Top to Bottom

    Authoritative servers publish Registration &Delegation information

    When a user requests a new name to be added to the

    DNS, its called a registration

    When the registry assigns the name to the user, its calleda delegation they become the owners of the domain

    and responsibility for any sub-domains falls to them.

    Typically, their name, contact, and billing information is all

    thats required but this varies greatly!

    19

    Theres no standard for registrations or

    delegations so Ill pick whichever has the least

    restrictive policies!

  • 7/25/2019 DNS Resilient

    20/263

    DNS From Top to Bottom

    An example of a registration on a BIND DNS server We control the .foo domain

    A registrant wants to register a host www.foo they choose the name

    and provide an IP address

    20

    Registrations are not typically made at the top level domain delegations are

    usually done here.

    New Registration

  • 7/25/2019 DNS Resilient

    21/263

    If we query for our new registration, well seeit

    DNS From Top to Bottom

    21

    New Registration

  • 7/25/2019 DNS Resilient

    22/263

    An example of a delegation on a BIND DNS server We control the .foo domain

    A registrant wants to register a subdomain oof they

    choose the name, and provide authoritative nameserver

    information

    DNS From Top to Bottom

    22

    New Delegation

  • 7/25/2019 DNS Resilient

    23/263

    Any queries for the new subdomain should failbecause the authoritative nameserver doesnt exist

    (aka a lame delegation)

    DNS From Top to Bottom

    23

    Queries to the

    Authoritative

    Server

  • 7/25/2019 DNS Resilient

    24/263

    DNS From Top To Bottom

    Caching / Recursive Servers

    These servers interface with

    authoritative servers to answer

    queries.

    Answers are cached to speed

    up responses to users and reducetraffic to root servers

    24

    Usually run by ISPs for customers,

    but should be configured for

    customer use only!

    There are many of these

    servers on the net

    Open resolvers answer queries from

    anyone on the net.

    See http://dns.measurement-

    factory.com/surveys/openresolver

    s.html for more information!

  • 7/25/2019 DNS Resilient

    25/263

    DNS From Top To Bottom

    Users & Stub Resolvers

    Not just people, these could also

    be applications & servers

    A stub resolver is a simple

    utility which forms queries and

    asks a recursive server for theanswer.

    Remember, users also can be

    registrants the people who

    register domain names

    25

    An operating system will typically

    provide a stub resolver for its users

  • 7/25/2019 DNS Resilient

    26/263

    DNS From Top To Bottom

    The DNS Should be Considered Critical Infrastructure,and as such, it has a lot of resilience built-in to thesystem: Primary and Secondary Servers a zone may have several

    servers which respond to queries

    Hidden Masters the master server cant be querieddirectly it merely replicates data to the Slave servers

    Anycasted Servers BGP routing forward queries toclosest server

    How Does All of This Stay in Sync? Zone Transfers (aka AXFR) secondary requests update

    from primary

    26

  • 7/25/2019 DNS Resilient

    27/263

    DNS TLD REGISTRIES

    27

  • 7/25/2019 DNS Resilient

    28/263

    Registry Structures

    Registries Come in All Shapes and Sizes Structure, Technical Implementation, Goals &

    Policies

    Models Define How the Registry Operates 2R vs. 3R

    Thick vs. Thin

    2 vs. 3 Levels

    28

  • 7/25/2019 DNS Resilient

    29/263

    Registry Structures

    Registry 2R Model Registry - Registrant

    Registry provides direct registrations to consumers

    Registrants request domains directly through registry

    29

    Registry

    RegistrantRegistrant

    Simple model

    Doesnt scale without

    lots of work from registry

    Direct customer

    relationships

  • 7/25/2019 DNS Resilient

    30/263

    Registry Structures

    Registry 2R Model Registry - Registrant

    Registry provides direct registrations to consumers

    Registrants request domains directly through registry or

    optionally through a direct reseller

    30

    Simple model

    Direct customer

    relationships

    Offloads some customer

    interface work fromregistry to reseller

    Registry

    Registrant

    Registrant

    Reseller

  • 7/25/2019 DNS Resilient

    31/263

    Registry Structures

    Registry 3R Model Registry Registrar Registrant

    Registrars interface between customer and registry

    31

    More stakeholders ->

    more policies / business

    models

    Less work for registry(automation / EPP)

    Focus on DNS services

    Registry

    Registrant

    Reseller

    Registrar

    Registrant

    Registrar

  • 7/25/2019 DNS Resilient

    32/263

    Registry Structures

    Registries can define WHERE their customeradministrative data resides (WHOIS)

    Thick the registry stores all customer data for

    registrations regardless of _WHERE_ it originates (direct,

    registrar) Thin Registrars manage all customer data for their

    registrants and serve this information via WHOIS

    32

    TLD

    WHOIS

    TLD

    WHOIS

    Registrar

    Registrar

    Th ick Th in

    Registrar

  • 7/25/2019 DNS Resilient

    33/263

    Registry Structures

    Registries define how subdomains are permittedeither at the top or second level.

    Top level delegations fall immediately under the

    top level

    E.g. www.google.jo

    Second level delegations fall under a generic

    domain, under the top level

    E.g. www.moict.gov.jo

    Registries can pick one or the other, or do both!

    33

    http://www.google.jo/http://www.moict.gov.jo/http://www.moict.gov.jo/http://www.google.jo/
  • 7/25/2019 DNS Resilient

    34/263

    Notional ccTLD Architecture

    Combining Robustness & Resiliency

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    34

  • 7/25/2019 DNS Resilient

    35/263

    Notional ccTLD Architecture

    Registrant Requests Assignment, Updates, Removal

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    35

  • 7/25/2019 DNS Resilient

    36/263

    Notional ccTLD Architecture

    Authentication for Registrant Requests

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    36

  • 7/25/2019 DNS Resilient

    37/263

    Notional ccTLD Architecture

    Authorization for Internal

    Registrar Changes

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    37

  • 7/25/2019 DNS Resilient

    38/263

    Notional ccTLD Architecture

    Entire Registry Offsite Backup

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    38

  • 7/25/2019 DNS Resilient

    39/263

    Notional ccTLD Architecture

    Registry Publishes and Maintains Assignments

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    39

  • 7/25/2019 DNS Resilient

    40/263

    Notional ccTLD Architecture

    Alternate Registry Server and Database

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    40

  • 7/25/2019 DNS Resilient

    41/263

    Notional ccTLD Architecture

    Country Localized DNS Servers

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    41

  • 7/25/2019 DNS Resilient

    42/263

    Notional ccTLD Architecture

    Country Localized User

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    42

  • 7/25/2019 DNS Resilient

    43/263

    Notional ccTLD Architecture

    Firewall

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    43

  • 7/25/2019 DNS Resilient

    44/263

    Notional ccTLD Architecture

    Primary Global DNS

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    44

  • 7/25/2019 DNS Resilient

    45/263

    Notional ccTLD Architecture

    Primary External Gateway

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    45

  • 7/25/2019 DNS Resilient

    46/263

    Notional ccTLD Architecture

    Secondary Global DNS Server

    Anycasting with Geographic Separation

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    46

  • 7/25/2019 DNS Resilient

    47/263

    Notional ccTLD Architecture

    Secondary External Gateway

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    47

  • 7/25/2019 DNS Resilient

    48/263

    Notional ccTLD Architecture

    International User

    Registrant

    NS2

    NS1

    User

    NS4

    NS3Internal

    Internal

    External

    External

    InternationalUser

    48

  • 7/25/2019 DNS Resilient

    49/263

    Policies

    Policies govern how registries operate, from internal

    workings to dealing with customers.

    Policies can be derived from operational necessities,

    business goals, or best practices in use by other registries

    Policies vary by registry and vary nearly as widely as theregistries themselves.

    Its important for registries to define policies to respond and

    operate in a consistent manner

    Frequently, there is no right or wrong policy what mattersis the registrys definition of that policy.

    49

    The wrong policy is NO policy

  • 7/25/2019 DNS Resilient

    50/263

    Policy

    Registrant Requirements This policy defines the requirements to register a

    domain with the registry; specifically addresses issueslike residency or ownership

    Things that may restrict registrations to only localor national entities: Desire to limit competition from foreign entities

    Desire for nationalism

    Things that may encourage registration fromforeign entities: Access to a larger pool of customers

    50

  • 7/25/2019 DNS Resilient

    51/263

    Policy

    Dispute Resolution A controversial subject; one that is used infrequently, but

    must be defined before its needed!

    Disputes may arise between potential registrants for adomain name each claiming the right to register it,

    - or -

    - Disputes may arise between current registrant a one thatdesires ownership of the domain

    Policy should define the notion of ownership, the

    process of determining ownership, and process forarbitrating a claim of ownership First come / first served = ownership

    International trademark or copyright = ownership

    51

  • 7/25/2019 DNS Resilient

    52/263

    Policy

    Registration Process This policy defines how the registry accepts requests

    for registrations, validates, and publishes them

    Usually defined by operational necessity Larger registries that process hundreds of registrations per

    day will use automated processes as much as possible Smaller registries may use manual processes

    Policy should cover registrant data verification

    Automated, multi-factor, out-of-band, etc Desire to detect and restrict malicious registrations?

    How should the registry define malicious?

    52

    Tough

    Question!

  • 7/25/2019 DNS Resilient

    53/263

    Policy

    Information Release (WHOIS) This policy defines how the registry handles privacy

    information and what information it publicly publishes

    The traditional approach is to publish administrative andtechnical point of contact information for each domain

    BUT, some registries / registrars offer a anonymous registrationservice which publishes empty or generic information

    This may be governed by local, national, or organizationalprivacy policies.

    This policy should cover what information can bepublished, to who & where, how the policy isconveyed to registrants, and what to release to lawenforcement or government agencies.

    53

  • 7/25/2019 DNS Resilient

    54/263

    Policy

    Pricing / Funding Model This policy defines how much domain registrations, their

    renewal, transfer or other action cost.

    Additional or value-added services may also be defined

    This policy should address costs to registrants, registrarsand resellers accordingly and is likely defined by theregistrys business model. Registries set their own prices, from free to $$$$

    Some registries are funded by their governments, some arenon-profits, some are for-profit corporations.

    Competition with gTLDs (e.g. .COM) may drive pricing decisions Prices may be different for local and foreign registrants, for

    resellers, and for registrars

    54

    l

  • 7/25/2019 DNS Resilient

    55/263

    Policy

    Permissible Registrations This policy defines what domain names may be

    registered

    Factors affecting permissible registrations: Religion & Culture some names may be offensive

    Technical some characters are disallowed by theRFC, or some may not be allowed by the registrysystem

    Operational International Domain Names may notbe supported

    Business some names may be restricted based oninternational trademarks or intellectual property

    55

    li

  • 7/25/2019 DNS Resilient

    56/263

    Policy

    Takedown

    A very controversial topic, this defines how the registrymay temporarily or permanently deactivate a registration

    More importantly, under what circumstances it may do so.

    Policy should account for:

    Business concerns / loss of revenue

    Upset customers?

    Malicious use (what is malicious?)

    Legality of denying freedom of speech

    Fallout of not following a government / law enforcementorder

    56

    h i l l

  • 7/25/2019 DNS Resilient

    57/263

    A Hypothetical Example

    Lets take the simple example of a registration made for the purpose

    of conducting a phishing attack. The domain name closely resembles that used by an international

    bank

    The registrant provides fake name and address for registration

    The registrant uses the domain to propagate a phishing attack,

    soliciting bank customers for their usernames and passwords.

    Whos responsible and whos accountable? The malicious registrant? How do you find him?

    The registry? They didnt validate the registrant but they get 5000

    registrations a day how can they? The bank? They didnt educate their customers on phishing attacks

    The bank user?

    57

    T k A

  • 7/25/2019 DNS Resilient

    58/263

    Take Aways

    The DNS operationally is simple; organizationally, its a much

    different story there are many (widely varying) stakeholders

    involved

    Policies define how registries operate, but are frequently ill-

    defined and untested

    Unlike the traditional network security world, which has

    CERTs and NOCs focusing on operating systems and

    applications, the DNS has no equivalent structure for focusing

    on security

    58

  • 7/25/2019 DNS Resilient

    59/263

    PERFORMANCE MONITORING

    59

    N t k P f M t i

  • 7/25/2019 DNS Resilient

    60/263

    Planning performance management

    Metrics

    Network

    Systems

    Services

    Definitions

    Adapted from IROC Hervey Allen & Phil Regnauld - NSRC

    Network Performance Metrics

    Pl i

  • 7/25/2019 DNS Resilient

    61/263

    What's the intention?Baselining, Troubleshooting, Planning growth

    Defend yourself from accusations -it's the network!

    Who is the information for?Administration, NOC, customers

    How to structure and present the information

    Reach: Can I measure everything? Impact on devices (measurements and measuring)

    Balance between amount of information and time to get

    it

    Planning

    M t i

  • 7/25/2019 DNS Resilient

    62/263

    Metrics

    Network performance metrics Channel capacity, nominal & effective

    Channel utilization

    Delay and jitter Packet loss and errors

    62

    M t i

  • 7/25/2019 DNS Resilient

    63/263

    Metrics

    System performance metrics Availability

    Memory, CPU Utilization, load, I/O wait, etc.

    Service performance metrics Wait time / Delay

    Availability

    How can I justify maintaining the service? Who is using it? How often?

    Economic value? Other value?

    63

    Common Network Performance

  • 7/25/2019 DNS Resilient

    64/263

    Measurements

    Relative to traffic: Bits per second

    Packets per second

    Unicast vs. non-unicast packets

    Errors

    Dropped packets

    Flows per second

    Round trip time (RTT)

    Jitter (variation between packet RTT)

    64

    N i l Ch l C it

  • 7/25/2019 DNS Resilient

    65/263

    Nominal Channel Capacity

    The maximum number of bits that can betransmitted for a unit of time (eg: bits per second)

    Depends on:

    Bandwidth of the physical medium

    Cable Electromagnetic waves

    Processing capacity for each transmission element

    Efficiency of algorithms in use to access medium

    Channel encoding and compression

    65

    Effective Channel Capacity

  • 7/25/2019 DNS Resilient

    66/263

    Effective Channel Capacity

    Always a fraction of the nominal channelcapacity

    Dependent on:

    Additional overhead of protocols in each layer Device limitations on both ends

    Flow control algorithm efficiency, etc.

    For example: TCP

    66

    Channel Utilization

  • 7/25/2019 DNS Resilient

    67/263

    Channel Utilization

    What fraction of the nominal channelcapacity is actually in use

    Important!

    Future planning What utilization growth rate am I seeing?

    For when should I plan on buying additional capacity?

    Where should I invest for my updates?

    Problem resolution Where are my bottlenecks, etc.

    67

    95th Percentile

  • 7/25/2019 DNS Resilient

    68/263

    95th Percentile

    The smallest value that is larger than 95% of the

    values in a given sample

    This means that 95% of the time the channel

    utilization is equal to or less than this value

    Or rather, the peaks are discarded from consideration

    Why is this important in networks?

    Gives you an idea of the standard, sustained channel

    utilization.

    ISPs use this measure to bill customers with larger

    connections.

    68

    95th Percentile

  • 7/25/2019 DNS Resilient

    69/263

    95th Percentile

    Example of traffic above 95% of normal

    69

    Bits per second vs Packets p s

  • 7/25/2019 DNS Resilient

    70/263

    Bits per second vs Packets p.s.

    70

    End to end Delay

  • 7/25/2019 DNS Resilient

    71/263

    End-to-end Delay

    The time required to transmit a packet alongits entire path

    Created by an application, handed over to the OS,

    passed to a network card (NIC), encoded,

    transmitted over a physical medium (copper,fibre, air), received by an intermediate device

    (switch, router), analyzed, retransmitted over

    another medium, etc.

    The most common measurement uses ping for

    total round-trip-time (RTT).

    71

    Historical Measurement of Delay

  • 7/25/2019 DNS Resilient

    72/263

    Historical Measurement of Delay

    Example of RTT measurements over 30 hours

    72

    Jitter

  • 7/25/2019 DNS Resilient

    73/263

    Jitter

    From Smokeping

    73

    Local Analysis

  • 7/25/2019 DNS Resilient

    74/263

    Local Analysis

    As we know...

    Before we blame the network, let's verify

    whether the problem is ours.

    What can go wrong locally?

    Hardware problems

    Excessive load (CPU, memory, I/O)

    What's considered 'normal'?

    Use analysis tools frequently Become familiar with the normal state and values

    for your machine.

    It is essential to maintain history

    SNMP agents and databases74

    Linux Performance Analysis

  • 7/25/2019 DNS Resilient

    75/263

    Linux Performance Analysis

    Three main categories:

    Processes

    Processes that are executing (running)

    Processes that are waiting (sleeping)

    waiting their turn

    blocked

    Memory

    Real

    Virtual

    I/O (Input/Output) Storage

    Network

    75

    Key Indicators

  • 7/25/2019 DNS Resilient

    76/263

    Key Indicators

    Insufficient CPU

    Number of processes waiting to execute is always high

    High CPU utilization (load avg.)

    Insufficient memory

    Very little free memory

    Lots of swap activity (swap in, swap out)

    Slow I/O

    Lots of blocked processes

    High number of block transfers

    76

    Local Analysis

  • 7/25/2019 DNS Resilient

    77/263

    Local Analysis

    Luckily, in Unix there are dozens of useful

    tools that give us lots of useful information

    about our machine

    Some of the more well-known include:

    vmstat - tcpdump top - wireshark (ethereal)

    lsof - iptraf

    netstat - iperf

    77

    vmstat

  • 7/25/2019 DNS Resilient

    78/263

    vmstat

    Show periodic summary information aboutprocesses, memory, pagin, I/O, CPU state, etc

    vmstat # vmstat 2procs -----------memory---------- ---swap-- -----io---- --system-- ----cpu----r b swpd free buff cache si so bi bo in cs us sy id wa2 0 209648 25552 571332 2804876 0 0 3 4 3 3 15 11 73 02 0 209648 24680 571332 2804900 0 0 0 444 273 79356 16 16 68 01 0 209648 25216 571336 2804904 0 0 6 1234 439 46735 16 10 74 01 0 209648 25212 571336 2804904 0 0 0 22 159 100282 17 21 62 0

    2 0 209648 25196 571348 2804912 0 0 0 500 270 82455 14 18 68 01 0 209648 25192 571348 2804912 0 0 0 272 243 77480 16 15 69 02 0 209648 25880 571360 2804916 0 0 0 444 255 83619 16 14 69 02 0 209648 25872 571360 2804920 0 0 0 178 220 90521 16 18 66 0

    78

    top

  • 7/25/2019 DNS Resilient

    79/263

    top

    Basic performance tool for Unix/Linuxenvironments

    Periodically show a list of system performance

    statistics:

    CPU use

    RAM and SWAP memory usage

    Load average (cpu utilization)

    Information by process

    79

    top cont

  • 7/25/2019 DNS Resilient

    80/263

    top cont.

    Information by process (most relevantcolumns shown):

    PID: Process ID

    USER: user running (owner) of the process

    %CPU: Percentage of CPU utilization by the

    process since the last sample

    %MEM: Percentage of physical memory (RAM)

    used by the process TIME: Total CPU time used by the process since it

    was started

    80

    netstat

  • 7/25/2019 DNS Resilient

    81/263

    netstat

    Show us information about: Network connections

    Routing tables

    Interface (NIC) statistics

    Multicast group members

    81

  • 7/25/2019 DNS Resilient

    82/263

    netstat

  • 7/25/2019 DNS Resilient

    83/263

    netstat

    Examples:# netstat -n --tcp -cActive Internet connections (w/o servers)Proto Recv-Q Send-Q Local Address Foreign Address Statetcp 0 272 ::ffff:192.188.51.40:22 ::ffff:128.223.60.27:60968 ESTABLISHEDtcp 0 0 ::ffff:192.188.51.40:22 ::ffff:128.223.60.27:53219 ESTABLISHED

    # netstat -lnp --tcpActive Internet connections (only servers)

    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program nametcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN 11645/snmpdtcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 1997/mysqld

    # netstat -icKernel Interface tableIface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flgeth0 1500 0 2155901 0 0 0 339116 0 0 0 BMRUlo 16436 0 18200 0 0 0 18200 0 0 0 LRU

    eth0 1500 0 2155905 0 0 0 339117 0 0 0 BMRUlo 16436 0 18200 0 0 0 18200 0 0 0 LRUeth0 1500 0 2155907 0 0 0 339120 0 0 0 BMRUlo 16436 0 18200 0 0 0 18200 0 0 0 LRUeth0 1500 0 2155910 0 0 0 339122 0 0 0 BMRUlo 16436 0 18200 0 0 0 18200 0 0 0 LRUeth0 1500 0 2155913 0 0 0 339124 0 0 0 BMRU

    83

    netstat cont.

  • 7/25/2019 DNS Resilient

    84/263

    netstat cont.

    Examples:# netstat tcp listening --programActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

    tcp 0 0 *:5001 *:* LISTEN 13598/iperftcp 0 0 localhost:mysql *:* LISTEN 5586/mysqld

    tcp 0 0 *:www *:* LISTEN 7246/apache2

    tcp 0 0 t60-2.local:domain *:* LISTEN 5378/named

    tcp 0 0 t60-2.local:domain *:* LISTEN 5378/namedtcp 0 0 t60-2.local:domain *:* LISTEN 5378/named

    tcp 0 0 localhost:domain *:* LISTEN 5378/named

    tcp 0 0 localhost:ipp *:* LISTEN 5522/cupsdtcp 0 0 localhost:smtp *:* LISTEN 6772/exim4

    tcp 0 0 localhost:953 *:* LISTEN 5378/named

    tcp 0 0 *:https *:* LISTEN 7246/apache2tcp6 0 0 [::]:ftp [::]:* LISTEN 7185/proftpd

    tcp6 0 0 [::]:domain [::]:* LISTEN 5378/named

    tcp6 0 0 [::]:ssh [::]:* LISTEN 5427/sshd

    tcp6 0 0 [::]:3000 [::]:* LISTEN 17644/ntoptcp6 0 0 ip6-localhost:953 [::]:* LISTEN 5378/namedtcp6 0 0 [::]:3005 [::]:* LISTEN 17644/ntop

    84

    netstat cont.

  • 7/25/2019 DNS Resilient

    85/263

    $ sudo netstat -atup

    Active Internet connections (servers and established) (if run as root PID/Program name isincluded)

    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

    tcp 0 0 *:35586 *:* LISTEN 2540/ekpd

    tcp 0 0 localhost:mysql *:* LISTEN 2776/mysqldtcp 0 0 *:www *:* LISTEN 14743/apache2

    tcp 0 0 d229-231.uoregon:domain *:* LISTEN 2616/named

    tcp 0 0 *:ftp *:* LISTEN 3408/vsftpdtcp 0 0 localhost:domain *:* LISTEN 2616/named

    tcp 0 0 *:ssh *:* LISTEN 2675/sshd

    tcp 0 0 localhost:ipp *:* LISTEN 3853/cupsd

    tcp 0 0 localhost:smtp *:* LISTEN 3225/exim4tcp 0 0 localhost:953 *:* LISTEN 2616/named

    tcp 0 0 *:https *:* LISTEN 14743/apache2

    tcp6 0 0 [::]:domain [::]:* LISTEN 2616/namedtcp6 0 0 [::]:ssh [::]:* LISTEN 2675/sshd

    tcp6 0 0 ip6-localhost:953 [::]:* LISTEN 2616/named

    udp 0 0 *:50842 *:* 3828/avahi-daemon:udp 0 0 localhost:snmp *:* 3368/snmpd

    udp 0 0 d229-231.uoregon:domain *:* 2616/namedudp 0 0 localhost:domain *:* 2616/named

    udp 0 0 *:bootpc *:* 13237/dhclientudp 0 0 *:mdns *:* 3828/avahi-daemon:

    udp 0 0 d229-231.uoregon.ed:ntp *:* 3555/ntpd

    udp 0 0 localhost:ntp *:* 3555/ntpdudp 0 0 *:ntp *:* 3555/ntpd

    udp6 0 0 [::]:domain [::]:* 2616/named

    udp6 0 0 fe80::213:2ff:fe1f::ntp [::]:* 3555/ntpdudp6 0 0 ip6-localhost:ntp [::]:* 3555/ntpd

    udp6 0 0 [::]:ntp [::]:* 3555/ntpd

    netstat cont.

    85

    lsof (LiSt of Open Files)

  • 7/25/2019 DNS Resilient

    86/263

    lsof (LiSt of Open Files)

    lsof is particularly useful because in Unixeverything is a file: unix sockets, ip sockets,

    directories, etc.

    Allows you to associate open files by:

    -p: PID (Process ID)

    -i : A network address (protocol:port)

    -u: A user

    86

    lsof

  • 7/25/2019 DNS Resilient

    87/263

    lsof

    Example: First, using netstat -lntcp determine that port6010 is open and waiting for a connection

    (LISTEN)

    # netstat -ln --tcpActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State

    tcp 0 0 127.0.0.1:6010 0.0.0.0:* LISTEN

    tcp 0 0 127.0.0.1:6011 0.0.0.0:* LISTEN

    87

    lsof

  • 7/25/2019 DNS Resilient

    88/263

    lsof

    Determine what process has the port (6010) open

    and what other resources are being used:# lsof -i tcp:6010COMMAND PID USER FD TYPE DEVICE SIZE NODE NAMEsshd 10301 root 6u IPv4 53603 TCP localhost.localdomain:x11-ssh-offset (LISTEN)sshd 10301 root 7u IPv6 53604 TCP [::1]:x11-ssh-offset (LISTEN)

    # lsof -p 10301COMMAND PID USER FD TYPE DEVICE SIZE NODE NAMEsshd 10301 root cwd DIR 8,2 4096 2 /sshd 10301 root rtd DIR 8,2 4096 2 /sshd 10301 root txt REG 8,2 379720 1422643 /usr/sbin/sshdsshd 10301 root mem REG 8,2 32724 1437533 /usr/lib/libwrap.so.0.7.6sshd 10301 root mem REG 8,2 15088 3080329 /lib/libutil-2.4.sosshd 10301 root mem REG 8,2 75632 1414093 /usr/lib/libz.so.1.2.3

    sshd 10301 root mem REG 8,2 96040 3080209 /lib/libnsl-2.4.sosshd 10301 root mem REG 8,2 100208 1414578 /usr/lib/libgssapi_krb5.so.2.2sshd 10301 root mem REG 8,2 11684 1414405 /usr/lib/libkrb5support.so.0.0sshd 10301 root mem REG 8,2 10368 3080358 /lib/libsetrans.so.0sshd 10301 root mem REG 8,2 7972 3080231 /lib/libcom_err.so.2.1sshd 10301 root mem REG 8,2 30140 1420233 /usr/lib/libcrack.so.2.8.0sshd 10301 root mem REG 8,2 11168 3080399 /lib/security/pam_succeed_if.so...

    88

    lsof cont.

  • 7/25/2019 DNS Resilient

    89/263

    lsof cont.

    What network services am I running?# lsof -iCOMMAND PID USER FD TYPE DEVICE SIZE NODE NAME

    firefox 4429 hervey 50u IPv4 1875852 TCP 192.168.179.139:56890-

    >128.223.60.21:www (ESTABLISHEDnamed 5378 bind 20u IPv6 13264 TCP *:domain (LISTEN)

    named 5378 bind 21u IPv4 13267 TCP localhost:domain (LISTEN)

    sshd 5427 root 3u IPv6 13302 TCP *:ssh (LISTEN)

    cupsd 5522 root 3u IPv4 1983466 TCP localhost:ipp (LISTEN)mysqld 5586 mysql 10u IPv4 13548 TCP localhost:mysql (LISTEN)

    snmpd 6477 snmp 8u IPv4 14633 UDP localhost:snmp

    exim4 6772 Debian-exim 3u IPv4 14675 TCP localhost:smtp (LISTEN)ntpd 6859 ntp 16u IPv4 14743 UDP *:ntp

    ntpd 6859 ntp 17u IPv6 14744 UDP *:ntp

    ntpd 6859 ntp 18u IPv6 14746 UDP [fe80::250:56ff:fec0:8]:ntpntpd 6859 ntp 19u IPv6 14747 UDP ip6-localhost:ntp

    proftpd 7185 proftpd 1u IPv6 15718 TCP *:ftp (LISTEN)

    apache2 7246 www-data 3u IPv4 15915 TCP *:www (LISTEN)

    apache2 7246 www-data 4u IPv4 15917 TCP *:https (LISTEN)...

    iperf 13598 root 3u IPv4 1996053 TCP *:5001 (LISTEN)

    apache2 27088 www-data 3u IPv4 15915 TCP *:www (LISTEN)apache2 27088 www-data 4u IPv4 15917 TCP *:https (LISTEN)

    89

    iptraf

  • 7/25/2019 DNS Resilient

    90/263

    iptraf

    Many measurable statistics and functions By protocol/port

    By packet size

    Generates logs

    Utilizes DNS to translate addresses

    Advantages

    Simplicity

    Menu-based (uses curses)

    Flexible configuration

    90

    iptraf

  • 7/25/2019 DNS Resilient

    91/263

    pt a

    You can run it periodically in the background(-B)

    It allows you, for example, to run as a cron job to

    periodically analyze logs.

    Generate alarms

    Save in a data base

    Has a great name... Interactive Colorful IP LAN

    Monitor

    etc...

    Example: iptraf -i eth1

    91

    iptrafi eth0

  • 7/25/2019 DNS Resilient

    92/263

    p

    Sample iptrafoutput from the above command:

    92

    iperf

  • 7/25/2019 DNS Resilient

    93/263

    p

    To measure network throughput between two

    points

    iperf has two modes, server and

    client

    Easy to use Great to help determine optimal TCP parameters

    TCP window size (socket buffer)

    MTU maximum segment size See man iperf for more

    93

    iperf

  • 7/25/2019 DNS Resilient

    94/263

    p

    Using UDP you can generate packet loss and jitter

    reports

    You can run multiple parallel sessions using threads

    Supports IPv6

    94

    iperf parameters

  • 7/25/2019 DNS Resilient

    95/263

    Usage: iperf [-s|-c host] [options]iperf [-h|--help] [-v|--version]

    Client/Server:-f, --format [kmKM] format to report: Kbits, Mbits, KBytes, MBytes-i, --interval # seconds between periodic bandwidth reports-l, --len #[KM] length of buffer to read or write (default 8 KB)-m, --print_mss print TCP maximum segment size (MTU - TCP/IP header)-p, --port # server port to listen on/connect to-u, --udp use UDP rather than TCP-w, --window #[KM] TCP window size (socket buffer size)-B, --bind bind to , an interface or multicast address-C, --compatibility for use with older versions does not sent extra msgs-M, --mss # set TCP maximum segment size (MTU - 40 bytes)

    -N, --nodelay set TCP no delay, disabling Nagle's Algorithm-V, --IPv6Version Set the domain to IPv6

    Server specific:-s, --server run in server mode-U, --single_udp run in single threaded UDP mode-D, --daemon run the server as a daemon

    Client specific:-b, --bandwidth #[KM] for UDP, bandwidth to send at in bits/sec

    (default 1 Mbit/sec, implies -u)-c, --client run in client mode, connecting to -d, --dualtest Do a bidirectional test simultaneously-n, --num #[KM] number of bytes to transmit (instead of -t)-r, --tradeoff Do a bidirectional test individually-t, --time # time in seconds to transmit for (default 10 secs)-F, --fileinput input the data to be transmitted from a file-I, --stdin input the data to be transmitted from stdin-L, --listenport # port to recieve bidirectional tests back on-P, --parallel # number of parallel client threads to run-T, --ttl # time-to-live, for multicast (default 1)

    p p

    95

    iperf - TCP

  • 7/25/2019 DNS Resilient

    96/263

    $ iperf -s------------------------------------------------------------Server listening on TCP port 5001TCP window size: 85.3 KByte (default)------------------------------------------------------------[ 4] local 128.223.157.19 port 5001 connected with 201.249.107.39 port 39601[ 4] 0.0-11.9 sec 608 KBytes 419 Kbits/sec

    ------------------------------------------------------------

    # iperf -c nsrc.org

    ------------------------------------------------------------

    Client connecting to nsrc.org, TCP port 5001

    TCP window size: 16.0 KByte (default)

    ------------------------------------------------------------

    [ 3] local 192.168.1.170 port 39601 connected with 128.223.157.19 port 5001[ 3] 0.0-10.3 sec 608 KBytes 485 Kbits/sec

    p

    96

    iperf - UDP

  • 7/25/2019 DNS Resilient

    97/263

    # iperf -c host1 -u -b100M------------------------------------------------------------Client connecting to nsdb, UDP port 5001Sending 1470 byte datagramsUDP buffer size: 106 KByte (default)------------------------------------------------------------[ 3] local 128.223.60.27 port 39606 connected with 128.223.250.135 port 5001[ 3] 0.0-10.0 sec 114 MBytes 95.7 Mbits/sec[ 3] Sent 81377 datagrams[ 3] Server Report:

    [ 3] 0.0-10.0 sec 114 MBytes 95.7 Mbits/sec 0.184 ms 1/81378 (0.0012%)

    $ iperf -s -u -i 1------------------------------------------------------------Server listening on UDP port 5001Receiving 1470 byte datagramsUDP buffer size: 108 KByte (default)------------------------------------------------------------[ 3] local 128.223.250.135 port 5001 connected with 128.223.60.27 port 39606[ 3] 0.0- 1.0 sec 11.4 MBytes 95.4 Mbits/sec 0.184 ms 0/ 8112 (0%)[ 3] 1.0- 2.0 sec 11.4 MBytes 95.7 Mbits/sec 0.177 ms 0/ 8141 (0%)[ 3] 2.0- 3.0 sec 11.4 MBytes 95.6 Mbits/sec 0.182 ms 0/ 8133 (0%)...[ 3] 8.0- 9.0 sec 11.4 MBytes 95.7 Mbits/sec 0.177 ms 0/ 8139 (0%)[ 3] 9.0-10.0 sec 11.4 MBytes 95.7 Mbits/sec 0.180 ms 0/ 8137 (0%)[ 3] 0.0-10.0 sec 114 MBytes 95.7 Mbits/sec 0.184 ms 1/81378 (0.0012%)

    p

    97

    Bibliography

  • 7/25/2019 DNS Resilient

    98/263

    g p y

    Monitoring Virtual Memory with vmstat

    http://www.linuxjournal.com/article/8178 How to use TCPDump

    http://www.erg.abdn.ac.uk/users/alastair/tcpdump.html

    linux command tcpdump examplehttp://smartproteam.com/linux-tutorials/linux-command-tcpdump/

    simple usage of tcpdumphttp://linux.byexamples.com/archives/283/simple-usage-of-tcpdump/

    TCPDUMP Command man page with exampleshttp://www.cyberciti.biz/howto/question/man/tcpdump-man-page-with-examples.php

    TCPDump Tutorial

    http://inst.eecs.berkeley.edu/~ee122/fa06/projects/tcpdump-6up.pdf

    98

  • 7/25/2019 DNS Resilient

    99/263

    DNS THREATS

    99

    Cyber Threats

  • 7/25/2019 DNS Resilient

    100/263

    y

    Open Question What Cyber Threats

    Concern You?

    Disruption of DNS Resolution Services

    Falsified Registrant Information

    Someone Stealing Your Customer Data

    Hackers using Your Registry for BotNet Control

    100

    100

    Cyber Threat Categorization

  • 7/25/2019 DNS Resilient

    101/263

    Foothold

    Reconnaissance & Enumeration

    Privilege Escalation

    Corruption

    Disruption Data Exfiltration

    Persistence

    Malicious Use

    101

    Foothold Recon & Enum Priv Esc.

    Corruption

    Persistence

    Data Exfiltration

    Disruption

    Time & Effort

    Concurrency

    Malicious Use

    Some Attacks May Involve Multiple

    Categories

    Foothold

  • 7/25/2019 DNS Resilient

    102/263

    Initial attempts to access and establish a remote connection

    into the network Direct

    SQL Injection, Operating System Exploits

    Indirect

    Phishing Email with Malware Attachments Website Hosted Malware Installations

    Motivations

    Gain Access for Future Attacks

    102

    This is usually an

    enabling attack

    Foothold Attacks

  • 7/25/2019 DNS Resilient

    103/263

    These attacks will target your servers and

    workstations anything that is accessible over the

    network

    103

    NS

    Accessible Email, Web,

    Remote Administration, etc

    NS

    Foothold Attacks - Phishing

  • 7/25/2019 DNS Resilient

    104/263

    104

    fraudwatchinternational.com

    http://news.softpedia.com/news/PDF-Based-Targeted-Attack-

    Against-Military-Contractors-Spotted-212139.shtml

    Foothold Attacks MitigatingStrategies

  • 7/25/2019 DNS Resilient

    105/263

    Strategies

    Awareness & Education Phishing Exercises

    Intrusion Detection Systems

    Critical Application Code Reviews

    Externally Visible System & Application Patching Access Control White listing

    Conduct Regular Vulnerability Scans

    Finds common holes which an attacker can exploit

    Others?

    105

    Reconnaissance & Enumeration

  • 7/25/2019 DNS Resilient

    106/263

    The act of scanning a network to determine its layout,

    hosts, services, users, and other information whichmay be useful in a cyber attack Network Mapping

    Port Scanning

    Motivations Political : DNS Administrators May List Sensitive

    Information in Zone Comments Financial : Can be Used to Find Addresses That are NOT

    Currently Registered for Domain Squatting Malicious: Can be Used to Obtain Information for Use in

    Future Attacks

    106

    Reconnaissance & EnumerationAttacks

  • 7/25/2019 DNS Resilient

    107/263

    Attacks

    These attacks will target your externally visible

    servers, and potentially your internal network hosts

    as well

    107

    NS

    NS

    Business & Operations

    Networks

    Reconnaissance & EnumerationExample

  • 7/25/2019 DNS Resilient

    108/263

    Example

    Zone Transfer

    Used to Retrieve All Information From a DNS Server Normally Used by Secondary to Sync with Primary

    108

    C:\nslookup

    Default Server: ns1.example.net

    Address: 127.0.0.1

    > set type=any> ls -d example.net [dns1.example.net]

    example.net. SOA dns01.example.net test.dns02.example.net. (1

    3600 600 86400 3600)

    example.net. NS dns01.example.net

    example.net. NS dns02.example.net

    example.net. MX 10 email.example.net

    testpc TXT "payment processing computer"

    testpc A 10.10.10.2

    adminspc TXT Administrators PC"

    adminspc A 10.10.10.3

    test CNAME adminspc.test.net

    Other DNS Servers

    Reconnaissance & EnumerationExample

  • 7/25/2019 DNS Resilient

    109/263

    Example

    Zone Transfer

    Used to Retrieve All Information From a DNS Server Normally Used by Secondary to Sync with Primary

    109

    C:\nslookup

    Default Server: ns1.example.net

    Address: 127.0.0.1

    > set type=any> ls -d example.net [dns1.example.net]

    example.net. SOA dns01.example.net test.dns02.example.net. (1

    3600 600 86400 3600)

    example.net. NS dns01.example.net

    example.net. NS dns02.example.net

    example.net. MX 10 email.example.net

    testpc TXT "payment processing computer"

    testpc A 10.10.10.2

    adminspc TXT Administrators PC"

    adminspc A 10.10.10.3

    test CNAME adminspc.test.net

    Email Server

    Reconnaissance & EnumerationExample

  • 7/25/2019 DNS Resilient

    110/263

    Example

    Zone Transfer

    Used to Retrieve All Information From a DNS Server Normally Used by Secondary to Sync with Primary

    110

    C:\nslookup

    Default Server: ns1.example.net

    Address: 127.0.0.1

    > set type=any> ls -d example.net [dns1.example.net]

    example.net. SOA dns01.example.net test.dns02.example.net. (1

    3600 600 86400 3600)

    example.net. NS dns01.example.net

    example.net. NS dns02.example.net

    example.net. MX 10 email.example.net

    testpc TXT "payment processing computer"

    testpc A 10.10.10.2

    adminspc TXT Administrators PC"

    adminspc A 10.10.10.3

    test CNAME adminspc.test.net

    Potentially Sensitive Computers

    Identified by Comments

    Reconnaissance & EnumerationMitigating Strategies

  • 7/25/2019 DNS Resilient

    111/263

    Mitigating Strategies

    Access Control

    White Listing Restrict Zone Transfers to Only Trusted Secondary Servers

    Validate The Trusted Paths Used Transaction Signatures (TSIG) for Zone Transfers

    Network Monitoring Know Whos Looking at You

    Internal & External

    Block Repeated Offenders

    But dont worry about intermittent port scans or spend alot of time here IPs can change on a whim!

    Information Control Limit the available information (ports, banners, zone file)

    111

    Privilege Escalation

  • 7/25/2019 DNS Resilient

    112/263

    Obtaining credentials, beyond what is

    normally available, for the purpose of

    accessing systems or information

    Username / Password Cracking

    Social Engineering

    Exploiting Trust Relationships

    Motivations

    Gain Access to Information or for Future Attacks112

    Privilege Escalation Attacks

  • 7/25/2019 DNS Resilient

    113/263

    Privilege Escalation attacks will target systems or

    relationships that contain something of value.

    Value could be information, or perhaps, increased

    access to a system to perform another attack

    113

    NS

    NS

    Business & Operations

    Networks

    Privilege Escalation Examples

  • 7/25/2019 DNS Resilient

    114/263

    Password cracking can target your Operating Systems, Web

    Applications, even your Wireless Networks Password guessing and dictionary attacks are forms of password

    cracking short passwords and words found in_any_ language

    dictionary are susceptible.

    Trust Relationships with Service Providers Can be Abused

    How do you validate EPP requests from your registrars?

    Do you have business functions that rely on external providers (e.g.

    credit card processors) that can be abused?

    114

    Privilege Escalation MitigatingStrategies

  • 7/25/2019 DNS Resilient

    115/263

    Strategies

    Use Strong / Complex Passwords

    Operating System, Web Application, WiFi,_anything_ thatuses a password

    Use a passphrase, not a single dictionary word

    Network Monitoring

    Track failed login attempts Track usage of trusted paths (e.g. EPP requests)

    Intrusion Detection Systems Internal and External keep signatures up to date

    Anti-virus / Anti-spyware

    Others?

    115

    Corruption

  • 7/25/2019 DNS Resilient

    116/263

    Modifying information or content on a system or application

    Website Defacement

    Cache Poisoning

    Name Server Redirection

    Motivations Political : Make Public Statements on Behalf of Your ccTLD or the

    Government

    Financial: Data Ransoming Attacker May Try to Sell You the Key toUnlock Your Own Data

    Malicious: Hackers Want to Make a Name for Themselves, DenyService, or Redirect Users

    Accidental: Employees make mistakes!

    116

    011101001101

    Corruption Attacks

  • 7/25/2019 DNS Resilient

    117/263

    Corruption Attacks will Target Your Data Stores

    File Servers, Name Servers

    May Also Target Recursive Name Servers

    117

    NS

    NS

    Business & Operations

    Networks

    Insider too!

    Corruption Attacks

  • 7/25/2019 DNS Resilient

    118/263

    118

    http://www.rankmyhack.com/

    http://www.thehackernews.com/2011/08/rankmyhack-got-hacked-by-haxor.html

    So many defacements

    http://www.zone-h.org/archive/special=1

    Corruption Example

  • 7/25/2019 DNS Resilient

    119/263

    Name Server Registration Redirection

    Recall CheckFree.com!

    Non-Authoritative Spoofing

    Partido Colorado political statement made by

    one organization against another during an

    election

    119

    Attacker Modifies Upstream DNS Records

    www.partidocolorado.org. 3600 IN A

    66.249.01.121

    Corruption Example

  • 7/25/2019 DNS Resilient

    120/263

    Partido Colorado the ISP (Copaco) modified its own

    recursive name servers to redirect users looking forpartidocolorado.org

    120

    Attacker Modified Upstream DNS Records

    www.partidocolorado.org. 3600 IN A 66.249.01.121

    201.217.51.114

    Corruption Mitigating Strategies

  • 7/25/2019 DNS Resilient

    121/263

    External Monitoring

    Your Own Systems, and Recursive Systems But this may not be tractable for you

    Internal Monitoring Compare to Known Good (read-only!) Copy

    Implies you are making backups on a regular basis

    Two-Person Authorization for Critical Processes

    Detection Becomes Critical Monitor User / Registrant Communications Monitor Traffic Usage for Sites You Control

    A Significant and Sudden Drop in Traffic Could be a Problem Authenticate All External Requests for Updates

    Require two factor authentication for automated registration updates

    Out of band communication like fax, in-person, etc Communicate Issues with Upstream Server Operators

    Others?

    121

    Disruption

  • 7/25/2019 DNS Resilient

    122/263

    Denying, degrading, or otherwise limiting the

    availability of services provided by a system or

    application

    Packet Floods

    Deleting Operating System Files

    Motivations Malicious: Denial of Service

    Political: Denial of Service (Cyber Riots)

    Badge of Honor: DoS the Root DNS Servers

    Financial: Demonstrate Power of BotNet122

    Disruption Attacks

  • 7/25/2019 DNS Resilient

    123/263

    These attacks target your external servers and/or

    the links which service them Regular Queries

    How Many Queries per Second Can Your Servers Handle?

    How Much Bandwidth Do You Have?

    Targeting Your Single Points of Failure

    123

    NS

    NS

    Disruption Attacks

  • 7/25/2019 DNS Resilient

    124/263

    These attacks target your external servers and/or the links

    which service them; single points of failure

    124

    Limited Scale

    http://www.darkgovernment.com/news/tsa-data-analyst-planned-

    cyber-attack/

    http://www.ibtimes.com/articles/131421/20110406/anonymous-launches-

    ddos-attack-on-sony.htm

    Low Orbit Ion Cannon =Cyber Rioting

    Disruption Mitigating Strategies

  • 7/25/2019 DNS Resilient

    125/263

    Understand Where Your Single Failure Points

    Are Add Duplicate Servers and Capacity Where One

    Exists

    Geographic Separation / Anycasting Country Localized and Global Servers

    Ensure Automated Data Replication

    Close Contact with Service Providers

    Others?

    125

    Data Exfiltration

  • 7/25/2019 DNS Resilient

    126/263

    Copying data, that is not publicly accessible, from a

    network for malicious purposes

    Smash & Grab

    Corporate Espionage

    Motivations Malicious: Taint Reputation of a Registry

    Financial: Data Ransoming, Identity Theft

    126

    Data Exfiltration Attacks

  • 7/25/2019 DNS Resilient

    127/263

    These Attacks Target Your Internal Servers and

    Information - Stealing Anything of Value

    This is especially easy for an Insider someone who is

    authorized to be on your network, and conducts malicious

    activity

    127

    NS

    NS

    Business & Operations

    Networks

    Data Exfiltration Attacks

  • 7/25/2019 DNS Resilient

    128/263

    128

    http://www.privacyrights.org/data-breach

    http://datalossdb.org/

    These are just the reported onesNo corporate espionage here!

    Data Exfiltration Example

  • 7/25/2019 DNS Resilient

    129/263

    A Data Thief Targets a ccTLD

    Gains unauthorized access to customer database

    Copies the database of customer names, email addresses,phone numbers, addresses and credit card details

    Sells this information to others on the black market for $5

    per identity

    129

    A Purely Hypothetical Example

    Data Exfiltration Mitigating Strategies

  • 7/25/2019 DNS Resilient

    130/263

    Prevent Foothold and Privilege Escalation Attacks

    Keep Continuous Backups

    And Test Them!

    Enforce Strict Access Controls to Sensitive Data

    Does engineering need access to customer data?

    Consciously Decide to Keep Information on Servers

    Do you really need copies of customer data or just a

    single source of information?

    Network Monitoring

    Create a Baseline of Your Normal Traffic

    Continuously Compare Current Traffic to Baseline

    130

    Persistence

  • 7/25/2019 DNS Resilient

    131/263

    Establishing an unauthorized, constant, presence on the

    network and thwarting administrator removal attempts Root Kits

    Monitoring Administrator Actions

    Motivations

    Malicious: Desire to Stay Within Your Network to Gain AdditionalAccess or Perform Additional Attacks

    131

    011101001101

    Persistence Attacks

  • 7/25/2019 DNS Resilient

    132/263

    These Attacks May Target Any Host in Your Network,

    from Servers to Workstations

    Your External Service Providers are Not Immune Either!

    132

    NS

    NS

    Business & Operations

    Networks

    Persistence Example

  • 7/25/2019 DNS Resilient

    133/263

    An Attacker Compromises a Host Through

    Phishing

    Immediately installs a rootkit to hide evidence of

    a successful compromise

    Rootkit hides files, the interactive shell process,and the network ports which the attacker uses to

    access the compromised host

    133

    Persistence Attacks

  • 7/25/2019 DNS Resilient

    134/263

    134

    http://www.theregister.co.uk/2011/06/29/tdss_alureon_advances/http://www.computerworlduk.com/news/security/3288274/microsoft-warns-rootkit-

    infection-requires-windows-reinstall/?olo=rss

    Hides files, processes, network ports,

    provide backdoors, advanced C2 & P2P

    Persistence Mitigating Strategies

  • 7/25/2019 DNS Resilient

    135/263

    Anti-Virus and Anti-Spyware Scans

    Signatures Must Be Kept Updated

    Network Traffic Monitoring

    Create a Traffic Baseline

    Compare Current Traffic to that Baseline Proxy Server Logs, IDS, Traffic Logs, etc

    Intrusion Detection System

    Signatures for common root kits, unexpected encoded

    traffic, unexpected encrypted traffic

    Conduct Regular Vulnerability Scans

    Finds common holes which an attacker can exploit, finds

    common rootkit ports135

    Malicious Use

  • 7/25/2019 DNS Resilient

    136/263

    Using the DNS to propagate malware or conduct

    attacks in a malicious manner, yet consistent withthe DNS protocols

    BotNet Command & Control

    Amplification Attacks

    Motivations

    Malicious: Spreading malware through servers hiding

    behind fictitious DNS registrations

    Financial: For Hire BotNets use DNS for command and

    control

    136

    Malicious Use Attacks

  • 7/25/2019 DNS Resilient

    137/263

    These Attacks Do Not Necessarily Target Your

    External DNS Servers Rather, They Use YourServers to Conduct an Attack Elsewhere

    137

    NS

    NS

    Victim

    Malicious Use Example Conficker

  • 7/25/2019 DNS Resilient

    138/263

    Conficker - the Conficker worm appeared in late 2008, with

    most of the attention starting in Jan/Feb of 2009. The worm used pseudo-randomly generated domains from several top

    level domains (ccTLDs included) as its command and control points.

    The worm would contact servers on these random domains for

    instructions.

    138

    Malicious Use Example Angler

  • 7/25/2019 DNS Resilient

    139/263

    The Angler exploit kit has been active since 2014.

    Continuously updated with new 0-day exploits

    Domain shadowing - uses subdomains of legit domain

    names for command and control

    Rapidly shifts exploit pages on subdomains

    139

    http://blogs.cisco.com/security/talos/angler-domain-shadowing

    Malicious Use Mitigating Strategies

  • 7/25/2019 DNS Resilient

    140/263

    Define a Policy for Malicious Use

    How would you respond to requests to pre-register adomain name which might be used for maliciouspurposes?

    How do you validate registrant information?

    What are your domain takedown policy and procedures?

    Network Monitoring Know what your expected baseline is monitor for

    anomalies

    Limit Size of Query Responses

    Be a good steward of the Internet

    Others?

    140

    Putting it All Together

  • 7/25/2019 DNS Resilient

    141/263

    Phishing email530 emails, 57 clicked link

    Link to exploit site

    0-day exploit

    Malware installationData exfiltration round 1

    Initial Cleanup

    Dormant malware goes liveData exfiltration round 2

    141

    http://www.wired.com/threatlevel/2011/04/oak-ridge-lab-hack/

  • 7/25/2019 DNS Resilient

    142/263

    INCIDENT MANAGEMENT &

    RESPONSE

    14

    2

    Incident Management Introduction

  • 7/25/2019 DNS Resilient

    143/263

    Incident Management

    Introduction

    143

    Definitions and Acronyms

  • 7/25/2019 DNS Resilient

    144/263

    CSIRT Computer Security Incident Response Team

    Responsible for cyber incident response processes CERT Computer Emergency Response Team

    Also called Computer Emergency Readiness Team

    Often synonymous with the CSIRT/CIRT

    Can contain more functions and ops than a CSIRT 2nd and 3rd tier analysis

    Research

    Coordination

    Often associated with a country, industry, or community CIRT Computer Incident Response Team

    Similar to a CERT, often more company focused

    144

    Definitions and Acronyms

  • 7/25/2019 DNS Resilient

    145/263

    SOC Security Operations Center

    Primarily intrusion prevention and monitoringfunctions in the security domain

    NOC Network Operations Center Monitoring health and function of the network

    NOSC Network Operations and Security Center Combination of SOC and NOC

    IRT Incident Response Team Functional team found within a CERT, SOC, or NOSC

    Can also be a stand-alone team within a company

    IRP Incident Response Plan

    145

    Incident Response Vs. IncidentHandling

  • 7/25/2019 DNS Resilient

    146/263

    Whats the difference?

    Incident Response

    The technical, hands-on, what happened? work

    Incident Handling

    The project management, lead-the-team work

    Or, are they synonyms?

    Heated online battles by industry giants

    The NIST documentation says they aresynonymous

    You decide for yourself

    146

    Events and Incidents

  • 7/25/2019 DNS Resilient

    147/263

    Event vs. Incident

    Event: Any occurrence of any type

    Incident: Damage, Degradation, or Persistent Intent to do so

    Depends on your policy and thresholds

    Events may be:

    Unsuccessful access attempts

    Poor internal security activities

    Recon attempts (no impact)

    Anything that is currently investigated

    According NIST, Incidents include:

    Unauthorized Access Denial of service

    Presence of malicious logic

    Improper Usage147

    Introduction to Incident Response

  • 7/25/2019 DNS Resilient

    148/263

    The many different phases of Incident

    Response

    Preparation Identification Containment Eradication RecoveryLessonsLearned

    Detect

    Respond

    Prevent

    (Law Enforcement I.R.)Preparation

    Preservation

    Duplication

    Analysis

    Reporting

    148

    The Phases of Incident Response

  • 7/25/2019 DNS Resilient

    149/263

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    Hot-wash Damage Assessment Applying Lessons

    System RestoreRepeat Attack

    MonitoringIT/User Interaction

    Tool Usage Rootkits Polymorphic Code APT

    Deployment System Management Forensics

    Sensors Logs Traffic Flow Correlation Declaration

    Policy ManagementSupportInfo

    Sharing

    Law/

    MediaMetrics Exercise

    Phases Sub-Steps & Cons iderat ions

    149

    Preparation

  • 7/25/2019 DNS Resilient

    150/263

    Preparation is key. If you do

    not properly prepare, yourincident response team will

    experience failures when stress

    levels are high

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    150

    Detection & Analysis

  • 7/25/2019 DNS Resilient

    151/263

    When prevention methods fail,

    detection is your only way tofind out that something is

    happening. You will detect

    many events, but they can turninto incidents quickly

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    151

    Containment

    h k b d

  • 7/25/2019 DNS Resilient

    152/263

    The attacks must be stopped

    quickly before too muchdamage occurs. This is where

    forensics and defensive tactics

    come into play. Time is of theessence.

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    152

    Eradication

    d d

  • 7/25/2019 DNS Resilient

    153/263

    In order to prevent immediate

    re-infection, the systems mustbe purged of any artifacts left

    by the attacker. This is where

    they will be cleaned up.

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    153

    Recovery

    N i i b i h

  • 7/25/2019 DNS Resilient

    154/263

    Now its time to bring the

    systems back online and putthem into production (if you

    took them offline). If proper

    steps were taken, the systemshould be infection free.

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    154

    Lessons Learned

    Th i f

  • 7/25/2019 DNS Resilient

    155/263

    The importance of

    documenting what occurredcannot be understated. There

    are undoubtedly process

    improvements and policychanges that need to be made.

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    155

    Anatomy of Incident Response

  • 7/25/2019 DNS Resilient

    156/263

    In order to prevent immediate re-

    infection, the systems must be purged

    of any artifacts left by the attacker.

    This is where they will be cleaned up.

    Now its time to bring the systems

    back online and put them into

    production (if you took them offline). Ifproper steps were taken, the system

    should be infection free.

    The importance of documenting what

    occurred cannot be understated.

    There are undoubtedly process

    improvements and policy changes

    that need to be made.

    The attacks must be stopped quickly

    before too much damage occurs. This

    is where forensics and defensivetactics may come into play. Time is of

    the essence.

    When prevention methods fail,

    detection is your only way to find out

    that something is happening. Mostly,

    you will detect events, but they can

    turn into incidents quickly.

    Preparation is key. Failure to properly

    prepare your teams for incident

    handling will result in failures whenstress levels are high.

    Preparation

    Detection

    & Analysis

    Containment

    Eradication

    Recovery

    Lessons

    Learned

    156

    Where Does an IRT Fit In?

    Notional CIRT

  • 7/25/2019 DNS Resilient

    157/263

    Incident

    Response Team

    Full-timeDetection &

    Analysis

    Forensics

    Intelligence AdvancedTraffic

    Monitoring

    Legal, Management, Policy

    &Planning, Training,Exercise, Evaluation

    Notional CIRTYou may have

    some, all, or noneof these!

    157

  • 7/25/2019 DNS Resilient

    158/263

    INCIDENT RESPONSE

    Case Study

    15

    8

    The Backstory

  • 7/25/2019 DNS Resilient

    159/263

    You run a ccTLD registry

    You have a typical setup consisting of primary

    and secondary DNS servers and a registry service

    running on a web server.

    For simplicity assume the web and primary DNS areon the same server hosted in your office / data center

    You receive an urgent call from a registrant

    that their primary name servers have been re-

    delegated without their permission to a

    server hosted by 00webhost.com

    159

    Incident Response - Preparation

    What questions would you ask of

  • 7/25/2019 DNS Resilient

    160/263

    What questions would you ask of

    registrants to understand the issue? What technical measures would you

    take on your servers to determine

    what happened?

    A side discussion what

    logging/monitoring would you need

    to have in place to make sure you

    could answer those questions?

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    160

    Incident Response - Detection &Analysis

    For this case study assume your alerting

  • 7/25/2019 DNS Resilient

    161/263

    For this case study, assume your alerting

    tools didnt produce anything

    Your customer alerted you!

    For discussion:

    What would your tools tell you?

    Do you have visibility into:

    Login attempts (web, ssh, all other services)

    Current active connections to your servers

    Changes to data (zone file, high value domains)

    Changes to system (new users, cron jobs,installed programs, file system)

    Centralized logging and/or log files

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    161

    Incident Response - Tools

  • 7/25/2019 DNS Resilient

    162/263

    Live Forensics Toolset Brian Moran

    https://www.brimorlabs.com/tools/

    Excellent cheat sheets from Lenny Zeltser

    https://zeltser.com/cheat-sheets/

    162

    Incident Response - Detection &Analysis

    https://www.brimorlabs.com/tools/https://www.brimorlabs.com/tools/https://www.brimorlabs.com/tools/https://zeltser.com/cheat-sheets/https://zeltser.com/cheat-sheets/https://zeltser.com/cheat-sheets/https://www.brimorlabs.com/tools/
  • 7/25/2019 DNS Resilient

    163/263

    You find the following as part of your analysis. What stands

    out? cat /etc/passwd

    cat /etc/group

    root@kali:~# cat /etc/passwd

    root:x:0:0:root:/root:/bin/bash

    daemon:x:1:1:daemon:/usr/sbin:/bin/sh

    dns:x:124:124::dns:/bin/bash

    test:x:125:125:test:/bin/bashdnsadmin:x:126:126:dnsadmin:/bin/bash

    root@kali:~# cat /etc/group

    root:x:0:daemon:x:1:

    admin:x:111:dnsadmin,test,dns

    stunnel4:x:129:

    sambashare:x:130:

    163

    Incident Response - Detection &Analysis

  • 7/25/2019 DNS Resilient

    164/263

    You find the following as part of your analysis. What stands

    out? cat /var/log/auth.log

    But wait cat /var/log/auth.log.1 dont forget log rotations

    Sep 2 06:25:47 kali CRON[4240]: pam_unix(cron:session): session closed for user root

    Sep 2 06:28:56 kali sshd[4126]: Received disconnect from ::1: 11: disconnected by user

    Sep 2 06:28:56 kali sshd[4126]: pam_unix(sshd:session): session closed for user root

    Sep 2 05:47:26 kali dbus[2947]: [system] Rejected send message, 2 matched rules; type="method_call",

    sender=":1.27" (uid=123 pid=3632 comm="/usr/lib/gdm3/gdm-simple-greeter ") Sep 2 05:47:49 kali gdm3][3645]:

    pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=root

    Sep 2 05:47:57 kali gdm3][3652]: pam_unix(gdm3:auth): authentication failure; logname= uid=0 euid=0 tty=:0

    ruser= rhost= user=root

    Sep 2 05:48:03 kali gdm3][3654]: pam_unix(gdm3:session): session opened for user root by (uid=0)

    Sep 2 05:48:03 kali gdm3][3654]: pam_ck_connector(gdm3:session): nox11 mode, ignoring PAM_TTY :0

    Sep 2 05:48:03 kali gdm-welcome][3235]: pam_unix(gdm-welcome:session): session closed for user Debian-gdm

    Sep 2 05:48:03 kali polkitd(authority=local): Unregistered Authentication Agent for unix-

    session:/org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path

    /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)

    Sep 2 06:28:20 kali gnome-keyring-daemon[3658]: unsupported key algorithm in certificate: 1.2.840.10045.2.1

    Sep 2 06:18:21 kali sshd[4126]: Accepted password for test from port 55019 ssh2

    Sep 2 06:18:21 kali sshd[4126]: pam_unix(sshd:session): session opened for user test by (uid=125)

    Sep 2 06:25:01 kali CRON[4240]: pam_unix(cron:session): session opened for user root by (uid=0)

    Sep 2 06:32:31 kali CRON[4086]: pam_unix(cron:session): session opened for user test by (uid=125)

    Sep 2 06:42:22 kali CRON[4086]: pam_unix(cron:session): session closed for user test164

  • 7/25/2019 DNS Resilient

    165/263

    Incident Response - Detection &Analysis

  • 7/25/2019 DNS Resilient

    166/263

    You find the following as part of your analysis. What stands

    out? cat /var/log/syslog

    Sep 3 17:03:07 NS1 named[965]: listening on IPv4 interface eth0, 192.168.201.105#53

    Sep 3 17:17:01 NS1 CRON[2734]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

    Sep 3 18:17:01 NS1 CRON[2978]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)Sep 3 19:17:01 NS1 CRON[3222]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

    Sep 3 20:17:01 NS1 CRON[3599]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)Sep 3 20:58:52 NS1 init: tty1 main process ended, respawning

    Sep 3 21:01:54 NS1 crontab[3971]: (test) BEGIN EDIT (test)Sep 3 21:03:14 NS1 crontab[3971]: (test) REPLACE (test)

    Sep 3 21:03:14 NS1 crontab[3971]: (test) END EDIT (test)

    Sep 3 21:03:20 NS1 crontab[4002]: (test) LIST (test)Sep 3 21:04:13 NS1 crontab[4019]: (root) BEGIN EDIT (root)

    Sep 3 21:04:17 NS1 crontab[4019]: (root) END EDIT (root)

    Sep 3 21:05:47 NS1 crontab[4059]: (root) BEGIN EDIT (root)

    Sep 3 21:06:03 NS1 crontab[4059]: (root) REPLACE (root)Sep 3 21:06:03 NS1 crontab[4059]: (root) END EDIT (root)

    166

    Incident Response - Detection &Analysis

    f d h f ll f l h d

  • 7/25/2019 DNS Resilient

    167/263

    You find the following as part of your analysis. What stands

    out? cat /etc/crontab also crontabe -lroot@kali:~# cat /etc/crontab

    # /etc/crontab: system-wide crontab

    # Unlike any other crontab you don't have to run the `crontab'# command to install the new version when you edit this file

    # and files in /etc/cron.d. These files also have username fields,

    # that none of the other crontabs do.

    SHELL=/bin/sh

    PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

    # m h dom mon dow user command

    17 * * * * root cd / && run-parts --report /etc/cron.hourly

    25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report/etc/cron.daily )

    47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report

    /etc/cron.weekly )52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report

    /etc/cron.monthly )

    55 0 0,12 * * * test nc l p 8080 e /bin/bash#

    167

  • 7/25/2019 DNS Resilient

    168/263

    Incident Response - Detection &Analysis

    Y fi d h f ll i f l i Wh d

  • 7/25/2019 DNS Resilient

    169/263

    You find the following as part of your analysis. What stands

    out? cd /home && findcmin -10 (enter whatever time you need

    here)

    find /homenewermt 2015-09-03 00:00:00 ! newermt

    2015-09-04 00:00:00

    root@NS1:/# cd /home && find -cmin -10

    ./test

    ./test/tmp

    ./test/tmp/hspferdata_test

    ./test/tmp/hspferdata_test/rnicks.e

    ./test/tmp/hspferdata_test/rversions.e

    ./test/tmp/hspferdata_test/rinsult.e

    ./test/tmp/hspferdata_test/16148

    ./test/tmp/hspferdata_test/fa.out

    ./test/tmp/hspferdata_test/cron.d

    169

    Incident Response - Detection &Analysis

    Y fi d th f ll i t f l i Wh t t d

  • 7/25/2019 DNS Resilient

    170/263

    You find the following as part of your analysis. What stands

    out? Login as test user then, history

    What does this indicate?

    170

    test@NS1:~$ history

    1 history

  • 7/25/2019 DNS Resilient

    171/263

    Incident Response - Containment

    What would you do to fix this and

  • 7/25/2019 DNS Resilient

    172/263

    What would you do to fix this and

    prevent the attacker fromcontinuing an attack?

    Lots of options pros and const

    Shut down the system entirely

    Disable root and/or test accounts

    Reset passwords on all accounts

    Kill active ssh session

    Remove crontab entry

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    172

    Incident Response - Eradication

    What would you do to clean up the

  • 7/25/2019 DNS Resilient

    173/263

    What would you do to clean up the

    mess? Search for and remove recently created

    files?

    Delete any user accounts not

    recognized Lock down SSH to be only accessible by

    user account and/or IP address

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    173

  • 7/25/2019 DNS Resilient

    174/263

    Incident Response - Lessons Learned

    For discussion:

  • 7/25/2019 DNS Resilient

    175/263

    For discussion:

    How would you get notified ofthis attack without relying on the

    customer?

    Did your response actions work?

    Did you have enough staff to

    handle the response?

    Preparation

    Detection &Analysis

    Containment

    Eradication

    Recovery

    LessonsLearned

    175

  • 7/25/2019 DNS Resilient

    176/263

    Resiliency

    protection and sustainabilityof

  • 7/25/2019 DNS Resilient

    177/263

    p ycritical services, associatedbusiness processes, and assets

    177

    Service

    Process Process

    Assets

    PEOPLE INFORMATION FACILITIESTECHNOLOGY

    Adapted from SEI | CERT Resiliency Management Model

  • 7/25/2019 DNS Resilient

    178/263

    Resiliency Activities

    Resilienc is being able to react to stress

  • 7/25/2019 DNS Resilient

    179/263

    Resiliency is being able to react to stress

    without breaking

    Many different ways of being resilient

    Several frameworks exist to help guide your

    resiliency activities

    179

    NIST SP 800-53 SANS / CSC Top 20

    ASD Mitigation Strategies ISO 27002

    And many others!

    https://web.nvd.nist.gov/view/800-53/homehttps://www.sans.org/critical-security-controls/http://http/www.asd.gov.au/publications/protect/top_4_mitigations.htmhttp://www.27000.org/iso-27002.htmhttp://www.27000.org/iso-27002.htmhttp://http/www.asd.gov.au/publications/protect/top_4_mitigations.htmhttps://www.sans.org/critical-security-controls/https://web.nvd.nist.gov/view/800-53/home
  • 7/25/2019 DNS Resilient

    180/263

    Resiliency Frameworks

    CSC (SANS) Top 20

  • 7/25/2019 DNS Resilient

    181/263

    CSC (SANS) Top 20

    20 things you can do today, includes guidance, recommended tools,implementation ideas

    Consensus of community experts

    ASD Mitigation Strategies 35 things you can do to increase resiliency

    Based on things that would have stopped 85% of the attacks that ASD

    responded to

    Use these if you have limited resources and need to know

    where to get started

    181

    ASD Examples

  • 7/25/2019 DNS Resilient

    182/263

    Top 4 Application whitelisting

    Patch application

    Patch OS

    Restrict administrative

    privileges

    Others Application hardening

    Host-Based IDS

    Disable local administrator

    accounts

    Network segmentation

    Multi-factor authentication

    Application firewalls

    Web filtering

    Strong passwords Network traffic capture

    Event logging

    182

  • 7/25/2019 DNS Resilient

    183/263

  • 7/25/2019 DNS Resilient

    184/263

    Resiliency in Practice Redundancy

    Having multiple copies of something

  • 7/25/2019 DNS Resilient

    185/263

    Having multiple copies of something

    DNS servers, service provider links, payment

    systems, data backups, others?

    Doesnt need to be running at the same time

    But it does need to be available on short notice

    Your recovery time objectives will say how much

    short notice is acceptable!

    185

  • 7/25/2019 DNS Resilient

    186/263

    Secure Operations Framework

    A Process for Conducting Secure Operations

  • 7/25/2019 DNS Resilient

    187/263

    A Process for Conducting Secure Operations

    Within Your Registry

    187

    Monitor Detect

    Respond

    RecoverAnalyze

    Baseline

    Secure Operations Framework

    Viewed as a Timeline:

  • 7/25/2019 DNS Resilient

    188/263

    Viewed as a Timeline:

    188

    Baseline Monitor Detect Analyze RecoverRespond

    Do This

    Before This

    Your Detection

    Time May Vary

    ATTACKQuick!

    Stop Effect

    Prevent

  • 7/25/2019 DNS Resilient

    189/263

    Establishing a Baseline

    Architecture Baseline

  • 7/25/2019 DNS Resilient

    190/263

    Architecture Baseline

    Hosts, Services, Ports, Connections, Addresses

    This is frequently a network architecture

    diagram, but could be a text document, or

    part of your network monitoring solution

    190

    Establishing a Baseline

    Architecture Baseline

  • 7/25/2019 DNS Resilient

    191/263

    Architecture Baseline

    Document your host configurations, operating

    systems, applications, versions, etc

    Ideally you want something you can reference

    quickly during attack analysis e.g. Can you quickly answer the question:

    191

    Is my web server vulnerable to thelatest Apache vulnerability?

    Establishing a Baseline

    Architecture Baseline Tools

  • 7/25/2019 DNS Resilient

    192/263

    Architecture Baseline Tools

    Visio

    Paper / Pencil!

    NAGIOS, OpenNMS, HP Openview, etc

    Lots of tools available the hardest part is

    actually doing it!

    192

    Establishing a Baseline

    Traffic Baseline

  • 7/25/2019 DNS Resilient

    193/263

    Traffic Baseline

    What kind, how much, source / destination, andusual time

    This is more difficult to capture but is critical

    to determining if something is expected ornot

    193

    Establishing a Baseline

    External Traffic Baseline

  • 7/25/2019 DNS Resilient

    194/263

    How much traffic (packets per second, megabits persecond, etc) is normal on your external links?

    What kind of traffic to external servers (e.g. do younormally have SSH connections to your DNS servers?)

    Internal Traffic Baseline Which hosts or applications communicate?

    What protocols do they use?

    How much traffic do they produce?

    When do they do it?

    194

    Establishing a Baseline

    Traffic Baseline

  • 7/25/2019 DNS Resilient

    195/263

    Traffic Baseline

    Again, ideally, you will have this informationreadily available during the analysis phase

    For example, can you easily answer the question:

    195

    Is a SSH connection to my DNS server at

    0330 on a Saturday normal?

    Establishing a Baseline

    Traffic Baseline Tools

  • 7/25/2019 DNS Resilient

    196/263

    NetFlow Wireshark

    Tcpdump

    Iperf, dnsperf

    Again, lots of tools available, the hard part is notonly capturing the baseline traffic, but putting it

    into a format you can reference Graphing and statistical analysis tools can help here!

    SmokePing, NetFlow Analyzer

    196

    Establishing a Baseline

    People Baseline

  • 7/25/2019 DNS Resilient

    197/263

    p

    How do your customers interact with your network? Web application for processing registration?

    Do you typically see people login at 0330?

    How do your administrators interact with yournetwork?

    What hosts do they connect to, what protocols do they use,when do they do it?

    How do your local users interact with your network? What hosts are they _supposed_ to be on, what hosts do

    they communicate with, when?

    How do your external users interact with yournetwork?

    What servers do they connect to, what protocols?

    197

    Establishing a Baseline

    People Baseline

  • 7/25/2019 DNS Resilient

    198/263

    People Baseline

    Again, ideally, you will have this informationreadily available during the analysis phase

    For example, can yo